[Swan] Multiple Route-based VPNs between identical peers
Paul Wouters
paul at nohats.ca
Tue Feb 7 02:07:15 UTC 2017
On Tue, 7 Feb 2017, Craig Marker wrote:
> I’m still having trouble making this configuration work...
>
> Here are my .conf files… Of note: ‘client’ and ‘server’ are names of the certificates. They are unique on each host, despite
> having the same name. Let me know if any logs would be useful.
> mark=0x5/0xff
That's not a full mask; can you instead use:
mark=5/0xffffffff
Similarly for the other marks.
> I believe the problem lies within the ip tunnel creation. On the AWS instance, my tunnels look like this:
>
> tunisp1: ip/ip remote any local 172.31.51.10 ttl inherit key 1
> tunisp2: ip/ip remote any local 172.31.51.10 ttl inherit key 2
>
> If I change the remote to be their public IP address, it’s still identical. It’s unclear how the decision is made for which one
> can pass traffic and which one cannot, but when I delete the tunnel that is passing traffic, the other one becomes able to
> pass traffic.
I think the wrong mask caused traffic to end up on the wrong IPsec SA.
Paul
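Added illustration (not code from this post, from Craig's configuration, or from libreswan itself): a small shell model of how the kernel's xfrm layer compares a packet's fwmark against an IPsec SA or policy mark, which is what a libreswan mark=value/mask setting becomes. The comparison is (fwmark & mask) == (value & mask), so any bits outside the mask are ignored. The two SA names and the fwmark values used below are constructed for the example; only the 0x5/0xff and 5/0xffffffff forms come from the thread.

```shell
#!/bin/sh
# Added example: models the kernel's xfrm mark comparison, not the kernel code.
# Rule: a packet matches an SA/policy when (fwmark & mask) == (value & mask).
# With a short mask such as 0xff, every fwmark that shares the low byte lands
# on the same SA; with a full mask only the exact value does.
# SA names and fwmark values here are constructed for illustration.

# mark_matches FWMARK VALUE MASK -> succeeds when the SA would accept the packet
mark_matches() {
    m_fw=$(( $1 ))
    m_val=$(( $2 ))
    m_mask=$(( $3 ))
    [ $(( m_fw & m_mask )) -eq $(( m_val & m_mask )) ]
}

# matching_sas FWMARK NAME:VALUE/MASK ... -> prints the names of every SA whose
# mark/mask pair accepts FWMARK (empty output means the packet matches none)
matching_sas() {
    fwmark=$1
    shift
    out=""
    for spec in "$@"; do
        name=${spec%%:*}
        markspec=${spec#*:}
        value=${markspec%%/*}
        mask=${markspec#*/}
        if mark_matches "$fwmark" "$value" "$mask"; then
            out="$out $name"
        fi
    done
    printf '%s\n' "${out# }"
}

# Two route-based conns, one per ISP, first with the short masks from the
# thread and then with full masks (constructed marks 5 and 6).
SHORT="isp1:0x5/0xff isp2:0x6/0xff"
FULL="isp1:5/0xffffffff isp2:6/0xffffffff"

# A packet carrying exactly the conn's mark matches the intended SA either way.
printf 'fwmark 0x5,   mask 0xff:       %s\n' "$(matching_sas 0x5 $SHORT)"
printf 'fwmark 0x5,   mask 0xffffffff: %s\n' "$(matching_sas 0x5 $FULL)"
# A mark with anything set above bit 7 (0x105 here, e.g. from another rule)
# still matches isp1 under the short mask, but matches neither SA under the
# full mask, so the stray mark no longer lands on an SA it was not meant for.
printf 'fwmark 0x105, mask 0xff:       %s\n' "$(matching_sas 0x105 $SHORT)"
printf 'fwmark 0x105, mask 0xffffffff: %s\n' "$(matching_sas 0x105 $FULL)"
```

On a live host the same value/mask pair is visible per SA and per policy in the output of `ip xfrm state` and `ip xfrm policy` (shown as `mark 0x5/0xff`, for instance), which is the quickest way to confirm what mask a conn actually installed.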